DESCRIPTION

AES MIXCOLUMN TRANSFORM 


The present invention relates to methods and apparatus for 
implementation of the Advanced Encryption Standard (AES) algorithm and in 
particular to methods and apparatus for performing the matrix multiplication 
operation that constitutes the AES MixColumn transformation in each of the 
encryption and decryption rounds of the algorithm. 

The invention has particular, though not exclusive, application in 
cryptographic devices such as those installed in smart cards and other devices 
where processor and memory resources are somewhat limited and many 
operations of the cryptographic algorithm are performed in dedicated ASIC or 
FPGA hardware. 

The AES algorithm has wide application in the encryption of data to be 
transmitted in a secure fashion. One application is in the transmittal of 
personal and/or financial information from a smartcard to a card reader device. 
Confidential data stored on the card must not be retrieved from the card except 
in encrypted form to ensure that the data so retrieved cannot be intercepted 
and read by an unauthorised third party. Only the authorised reader is able to 
decrypt the data retrieved from the card. 

Similarly, data supplied by the card reader to be stored in the card must 
be passed to the card in encrypted form, and decrypted by the card for storage 
and subsequent retrieval. 

While the AES algorithm is relatively straightforward to implement in a 
conventional computer system deploying state of the art processor and 
memory circuits, in a smartcard application the processor and memory 
resource is very limited, and many functions must be executed in dedicated 
hardware, such as ASICs or FPGAs. 

There is therefore a requirement for hardware implementations of the 
procedures required in the AES algorithm, which implementations require the 
minimum use of hardware resource. 

It is an object of the present invention to provide suitable circuitry for 
effecting the MixColumn transform deployed in the standard AES (Rijndael) 
cryptographic algorithm, both for encryption and decryption. 

According to one aspect, the present invention provides a logic circuit 
for multiplication of an (m x n) matrix by a (1 x n) or by a (m x 1) matrix, where 
m is a number of rows and n is a number of columns, and wherein each 
successive row m of n elements is a predetermined row permutation of a 
preceding row, the circuit comprising: 

n multiplication circuits each having an input and an output which 
returns the value of said input multiplied by a predetermined multiplicand; 

n logic circuits, each for executing a predetermined logical combination 
of a first input and a second input to provide a logical output, the first input 
being coupled to the output of a corresponding one of the n multiplication 
circuits; 

n registers for receiving said logical output; 

feedback logic for routing the contents of each register to a selected 
one of the second inputs in accordance with a feedback plan that corresponds 
to the predetermined row permutation; and 

control means for successively providing as input to each of the n 
multiplication circuits each element in the (1 x n) or (m x 1) matrix. 

Embodiments of the present invention will now be described by way of 
example and with reference to the accompanying drawings in which: 

Figure 1 is a flow diagram illustrating implementation of an encryption 
operation using the AES block cipher algorithm; and 

Figure 2 is a schematic diagram of a functional logic block for 
performing the MixColumns transform. 
The AES algorithm for encryption of plaintext to ciphertext is shown in 
figure 1. The AES algorithm may be implemented using a 128-bit, a 192-bit or 
a 256-bit key operating on successive 128-bit blocks of input data. The 
present invention is applicable to all of these implementations. Figure 1 will 
now be described in the context of the basic implementation using a 128-bit 
key. 

An initial 128-bit block of input plaintext 10 is XOR-combined 11 with an 
original 128-bit key 12 in an initial round 15. The output 13 from this initial 
round 15 is then passed through a number of repeated transform stages, in an 
encryption round 28 which includes the SubBytes transform 20, the ShiftRows 
transform 21 and the MixColumns transform 22 in accordance with the defined 
AES algorithm. 

The output from the MixColumns transform 22 is XOR-combined 23 
with a new 128-bit round key 26, which has been derived 25 from the initial 
(original) key 12. The output from this XOR-combination 23 is fed back to 
pass through the encryption round 28 a further number of times, the number 
depending upon the particular implementation of the algorithm. 

For each successive iteration through the encryption round 28, a new 
round key 26' is derived from the existing round key 26 according to the AES 
round key schedule. 

The number of iterations (Nr - 1) of the encryption round 28 is nine 
where a 128-bit encryption key is being used, eleven where a 192-bit 
encryption key is being used, and thirteen where a 256-bit encryption key is 
being used. 

After the requisite number (Nr - 1) of encryption rounds 28, a final 
round, Nr, is entered under the control of decision box 24. The final round 30 
comprises a further SubBytes transform 31, a further ShiftRows transform 32, 
and a subsequent XOR-combination 33 of the result with a final round key 36 
generated 35 from the previous round key. The output therefrom comprises 
the ciphertext output 39 of the encryption algorithm. 

The present invention relates particularly to the performing of the 
MixColumns transform 22. Through the rounds 28, 30, the 128-bit blocks 
being processed are conveniently represented as 16 8-bit blocks in a 4 x 4 
matrix, as s(row, column), according to the pattern: 

s0,0  s0,1  s0,2  s0,3 
s1,0  s1,1  s1,2  s1,3 
s2,0  s2,1  s2,2  s2,3 
s3,0  s3,1  s3,2  s3,3 

In the MixColumns transform 22, the columns of this state are 
considered as polynomials over GF(2^8) and multiplied modulo (x^4 + 1) with a 
predetermined fixed polynomial a(x), given by: 

a(x) = a3 x^3 + a2 x^2 + a1 x + a0, 

in which, represented as hexadecimal values, 

a3 = 03h 
a2 = 01h 
a1 = 01h 
a0 = 02h. 

The polynomial is co-prime to x^4 + 1 and is therefore invertible. 

For encryption, the MixColumns transform can therefore be expressed 
as 

sr,c -> s'r,c, for each of the columns in s: 
[ s'0,c ]   [ a0 a3 a2 a1 ] [ s0,c ]   [ 02 03 01 01 ] [ s0,c ] 
[ s'1,c ] = [ a1 a0 a3 a2 ] [ s1,c ] = [ 01 02 03 01 ] [ s1,c ] 
[ s'2,c ]   [ a2 a1 a0 a3 ] [ s2,c ]   [ 01 01 02 03 ] [ s2,c ] 
[ s'3,c ]   [ a3 a2 a1 a0 ] [ s3,c ]   [ 03 01 01 02 ] [ s3,c ] 
The evaluation of this matrix multiplication is: 

s'0,c = {02}*s0,c ⊕ {03}*s1,c ⊕ s2,c ⊕ s3,c 
s'1,c = s0,c ⊕ {02}*s1,c ⊕ {03}*s2,c ⊕ s3,c 
s'2,c = s0,c ⊕ s1,c ⊕ {02}*s2,c ⊕ {03}*s3,c 
s'3,c = {03}*s0,c ⊕ s1,c ⊕ s2,c ⊕ {02}*s3,c 
During decryption, the inverse of this operation is required. It is given 
by the following matrix multiplication. 

[ s'0,c ]   [ b0 b3 b2 b1 ] [ s0,c ]   [ 0E 0B 0D 09 ] [ s0,c ] 
[ s'1,c ] = [ b1 b0 b3 b2 ] [ s1,c ] = [ 09 0E 0B 0D ] [ s1,c ] 
[ s'2,c ]   [ b2 b1 b0 b3 ] [ s2,c ]   [ 0D 09 0E 0B ] [ s2,c ] 
[ s'3,c ]   [ b3 b2 b1 b0 ] [ s3,c ]   [ 0B 0D 09 0E ] [ s3,c ] 
The evaluation of this matrix multiplication is: 

s'0,c = {0E}*s0,c ⊕ {0B}*s1,c ⊕ {0D}*s2,c ⊕ {09}*s3,c 
s'1,c = {09}*s0,c ⊕ {0E}*s1,c ⊕ {0B}*s2,c ⊕ {0D}*s3,c 
s'2,c = {0D}*s0,c ⊕ {09}*s1,c ⊕ {0E}*s2,c ⊕ {0B}*s3,c 
s'3,c = {0B}*s0,c ⊕ {0D}*s1,c ⊕ {09}*s2,c ⊕ {0E}*s3,c 
It is noted that the MixColumns transform matrix has the special 
property that each successive row is a shifted or rotated version of the 
preceding row. In general, each element in a row appears in every row but in 
a different position in the row, and specifically, for the MixColumns transform 
matrix the different position of each element for each row constitutes a single 
position right shift or rotation. 

According to the present invention, it has been recognised that this 
property allows the multiplication of each column of the state s to be achieved 
with significantly reduced hardware. 

Figure 2 illustrates an exemplary embodiment of hardware logic 50 
adapted for the multiplication of an m x n matrix by a 1 x n matrix, in which the 
relationship between each successive row of n elements of the m x n matrix is 
a predetermined row shift. For the AES MixColumns transform, m = 4, n = 4 
and the predetermined relationship is a single right shift. 

The logic 50 comprises four 8-bit multiplication circuits 60 ... 63, four 
8-bit XOR gates 70 ... 73 and four feedback / output registers 80 ... 83, shown as 
MixCol0 ... MixCol3. Each multiplication circuit 60 ... 63 is adapted for 
multiplication of an input by one of the matrix coefficients c0, c1, c2, c3. Each of 
the XOR gates 70 ... 73 may be implemented using any appropriate 
combination of logic elements required to execute the appropriate logical 
combination of two inputs, as described hereinafter. 

For encryption rounds, the values of c0 ... c3 are, respectively, a0 ... a3 
as defined above. For decryption rounds, the values of c0 ... c3 are, 
respectively, b0 ... b3 as defined above. The output of each multiplication 
circuit 60 ... 63 is coupled to a first input of a corresponding XOR gate 70 ... 
73. The output of each XOR gate 70 ... 73 is coupled to a corresponding 
MixCol register 80 ... 83. The output of each MixCol register 80 ... 83 is 
coupled to the second input of one of the XOR gates 70 ... 73 according to a 
feedback plan 90 ... 93 that corresponds to the row shift function that defines 
the relationship between successive rows of the matrix. In the present case, 
the feedback plan 90 ... 93 implements the right row shift function between 
successive rows of the matrices ar,c (encryption) and br,c (decryption), or more 
generally the matrix cr,c. 

During operation of the circuit 50, s0,c, s1,c, s2,c, s3,c are sequentially 
offered to the multiplication logic 60 ... 63 on successive cycles. At the outset 
of each column multiplication, the registers MixCol0 to MixCol3 are pre-set to 
zero. 

After the 1st cycle: 
MixCol0 = c0.s0,c 
MixCol1 = c1.s0,c 
MixCol2 = c2.s0,c 
MixCol3 = c3.s0,c 

After the 2nd cycle: 
MixCol0 = c0.s1,c ⊕ c1.s0,c 
MixCol1 = c1.s1,c ⊕ c2.s0,c 
MixCol2 = c2.s1,c ⊕ c3.s0,c 
MixCol3 = c3.s1,c ⊕ c0.s0,c 

After the 3rd cycle: 
MixCol0 = c0.s2,c ⊕ c1.s1,c ⊕ c2.s0,c 
MixCol1 = c1.s2,c ⊕ c2.s1,c ⊕ c3.s0,c 
MixCol2 = c2.s2,c ⊕ c3.s1,c ⊕ c0.s0,c 
MixCol3 = c3.s2,c ⊕ c0.s1,c ⊕ c1.s0,c 

After the 4th cycle: 
MixCol0 = c0.s3,c ⊕ c1.s2,c ⊕ c2.s1,c ⊕ c3.s0,c 
MixCol1 = c1.s3,c ⊕ c2.s2,c ⊕ c3.s1,c ⊕ c0.s0,c 
MixCol2 = c2.s3,c ⊕ c3.s2,c ⊕ c0.s1,c ⊕ c1.s0,c 
MixCol3 = c3.s3,c ⊕ c0.s2,c ⊕ c1.s1,c ⊕ c2.s0,c 
The outputs are therefore: 

MixCol1 = s'0,c 
MixCol2 = s'1,c 
MixCol3 = s'2,c 
MixCol0 = s'3,c 

which is the required result. 
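As an added example (not part of the patent and not the applicant's code), the four-cycle operation derived above, together with the direct evaluation of the encryption and decryption equations, modelled in Python: gf_mul, mixcolumn_serial, mixcolumn_direct and the sample column are the example's own, while the coefficient sets are the a0 ... a3 and b0 ... b3 values given in the text.

```python
# Added example (not the patent's code): software model of the Figure 2
# circuit, checked against direct evaluation of the s'r,c equations.
import random
from functools import reduce
from operator import xor

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (AES)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B                     # reduce by the AES field polynomial
        b >>= 1
    return r

# Coefficients c0..c3: a0..a3 for encryption, b0..b3 for decryption.
ENC = (0x02, 0x01, 0x01, 0x03)
DEC = (0x0E, 0x09, 0x0D, 0x0B)

def mixcolumn_direct(col, c):
    """Direct evaluation: row r of the matrix is [c0 c3 c2 c1] rotated right r times."""
    return [reduce(xor, (gf_mul(c[(r - j) % 4], col[j]) for j in range(4)))
            for r in range(4)]

def mixcolumn_serial(col, c):
    """Figure 2 circuit: on each cycle register i takes c_i * s XOR the previous
    contents of register (i + 1) mod 4, i.e. the single right-shift feedback plan."""
    reg = [0, 0, 0, 0]                    # MixCol0..MixCol3 preset to zero
    for s in col:                         # s0,c .. s3,c offered on successive cycles
        reg = [gf_mul(c[i], s) ^ reg[(i + 1) % 4] for i in range(4)]
    # After the 4th cycle MixCol1..3 hold s'0..s'2 and MixCol0 holds s'3.
    return [reg[1], reg[2], reg[3], reg[0]]

def check_random_columns(n: int = 200, seed: int = 1) -> bool:
    """Serial circuit agrees with direct evaluation, and DEC inverts ENC."""
    rng = random.Random(seed)
    for _ in range(n):
        col = [rng.randrange(256) for _ in range(4)]
        enc = mixcolumn_serial(col, ENC)
        if enc != mixcolumn_direct(col, ENC) or mixcolumn_serial(enc, DEC) != col:
            return False
    return True

if __name__ == "__main__":
    # Constructed sample column for a quick run.
    print([f"{x:02x}" for x in mixcolumn_serial([0xDB, 0x13, 0x53, 0x45], ENC)])
    print(check_random_columns())
```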

The logic of each multiplication circuit 60 ... 63 is defined as follows, 
where d = 0 for encryption and d = 1 for decryption, si denotes bit i of the 
input byte, and composite terms such as s45 denote XOR-combinations of the 
indexed bits as listed below. For c0 x s0,c: 

e07 = s6 XNOR NAND(d, s45) 
e06 = s5 XNOR NAND(d, s347) 
e05 = s4 XNOR NAND(d, s236) 
e04 = s37 XNOR NAND(d, s125) 
e03 = s27 XNOR NAND(d, s0157) 
e02 = s17 XNOR NAND(d, s0567) 
e01 = s0 XNOR NAND(d, s67) 
e00 = s7 XNOR NAND(d, s56) 

Similarly, for c1 x s1,c: 

e17 = s7 XNOR NAND(d, s4) 
e16 = s6 XNOR NAND(d, s37) 
e15 = s5 XNOR NAND(d, s267) 
e14 = s4 XNOR NAND(d, s1567) 
e13 = s3 XNOR NAND(d, s056) 
e12 = s2 XNOR NAND(d, s57) 
e11 = s1 XNOR NAND(d, s6) 
e10 = s0 XNOR NAND(d, s5) 

Similarly, for c2 x s2,c: 

e27 = s7 XNOR NAND(d, s45) 
e26 = s6 XNOR NAND(d, s347) 
e25 = s5 XNOR NAND(d, s236) 
e24 = s4 XNOR NAND(d, s125) 
e23 = s3 XNOR NAND(d, s0157) 
e22 = s2 XNOR NAND(d, s0567) 
e21 = s1 XNOR NAND(d, s67) 
e20 = s0 XNOR NAND(d, s56) 

Similarly, for c3 x s3,c: 

e37 = s67 XNOR NAND(d, s4) 
e36 = s56 XNOR NAND(d, s37) 
e35 = s45 XNOR NAND(d, s267) 
e34 = s347 XNOR NAND(d, s1567) 
e33 = s23 XOR s7 XNOR NAND(d, s056) 
e32 = s12 XOR s7 XNOR NAND(d, s57) 
e31 = s01 XNOR NAND(d, s6) 
e30 = s07 XNOR NAND(d, s5) 

where (writing a for the input byte, with bits a0 ... a7): 
PHNL020535 



a67 = a6 XOR a7 
a07 = a0 XOR a7 
a34 = a3 XOR a4 
a567 = a7 XOR a56 
a125 = a12 XOR a5 
a1567 = a17 XOR a56 
a37 = a3 XOR a7 
a57 = a5 XOR a7 
a23 = a2 XOR a3 
a056 = a0 XOR a56 
a267 = a2 XOR a67 
a27 = a2 XOR a7 
a56 = a5 XOR a6 
a12 = a1 XOR a2 
a347 = a34 XOR a7 
a0157 = a01 XOR a57 
a17 = a1 XOR a7 
a45 = a4 XOR a5 
a01 = a0 XOR a1 
a236 = a23 XOR a6 
a0567 = a07 XOR a56 

This requires 23 XOR gates, 32 XNOR gates and 32 NAND gates. 
Other embodiments are intentionally within the scope of the 
accompanying claims. 
CLAIMS



1. A logic circuit for multiplication of an (m x n) matrix by a (1 x n) or 
by a (m x 1) matrix, where m is a number of rows and n is a number of 
columns, and wherein each successive row m of n elements is a 
predetermined row permutation of a preceding row, the circuit comprising: 

n multiplication circuits each having an input and an output which 
returns the value of said input multiplied by a predetermined multiplicand; 

n logic circuits, each for executing a predetermined logical combination 
of a first input and a second input to provide a logical output, the first input 
being coupled to the output of a corresponding one of the n multiplication 
circuits; 

n registers for receiving said logical output; 

feedback logic for routing the contents of each register to a selected 
one of the second inputs in accordance with a feedback plan that corresponds 
to the predetermined row permutation; and 

control means for successively providing as input to each of the n 
multiplication circuits each element in the (1 x n) or (m x 1) matrix. 

2. The logic circuit of claim 1 in which the feedback logic provides a 
feedback plan corresponding to said predetermined row permutation that is a 
row shift. 

3. The logic circuit of claim 2 in which the row shift is a single 
element right shift. 

4. The logic circuit of claim 1 in which the n logic circuits are each 
adapted to execute an XOR-combination of said first input and said second 
input. 

5. The logic circuit of claim 1 in which each of the predetermined 
multiplicands corresponds to one of the elements in the AES Rijndael 
MixColumns transform function. 

6. The logic circuit of claim 5 in which the number m = 4, the 
number n = 4, the multiplicand for the first multiplication circuit = 02, the 
multiplicand for the second multiplication circuit = 03, the multiplicand for the 
third multiplication circuit = 01, and the multiplicand for the fourth multiplication 
circuit = 01. 

7. The logic circuit of claim 5 in which the number m = 4, the 
number n = 4, the multiplicand for the first multiplication circuit = 0E, the 
multiplicand for the second multiplication circuit = 0B, the multiplicand for the 
third multiplication circuit = 0D, and the multiplicand for the fourth multiplication 
circuit = 09. 

8. The logic circuit of claim 6 or claim 7 in which the four 
multiplicands are switchable between the values in claim 6 and the values in 
claim 7. 



9. The logic circuit of claim 1 in which the control means is adapted 
to successively provide as input to each of the n multiplication circuits each 
successive element in the (1 x n) or (m x 1) matrix over each of n or m cycles 
of operation respectively. 

10. The logic circuit of claim 1 in which each of the n multiplication 
circuits, each of the n logic circuits, and each of the n registers are at least 
eight bits wide. 

11. The logic circuit of claim 1 in which the control means further 
includes means for providing as output from said logic circuit the contents of 
the n registers after each nth cycle. 
12. The logic circuit of claim 1 in which the control means further 
includes means for resetting each of the registers prior to the first calculation 
cycle. 

13. The logic circuit of claim 1 in which each successive row m of n 
elements is a predetermined row permutation of the immediately preceding 
row. 

14. An AES MixColumns transform circuit incorporating the logic 
circuit of any one of claims 1 to 13. 

15. An AES encryption and/or decryption engine incorporating the 
logic circuit of any one of claims 1 to 13 for performing the MixColumns 
transform. 

16. Apparatus substantially as described herein with reference to the 
accompanying drawings. 
ABSTRACT

AES MIXCOLUMN TRANSFORM 

A simplified logic circuit for performing the AES Rijndael MixColumns 
transform exploits the common relationship between each of the successive 
rows of the transform matrix and its preceding row. A logic circuit for 
performing multiplication of an (m x n) matrix by a (1 x n) or by a (m x 1) 
matrix, where m is a number of rows and n is a number of columns, and where 
each successive row m of n elements is a predetermined row permutation of 
a preceding row comprises: n multiplication circuits; n logic circuits; n registers 
for receiving logical output from the logic circuits; feedback logic for routing the 
contents of each register to a selected one of inputs of the logic circuits in 
accordance with a feedback plan that corresponds to the common relationship 
between successive matrix rows; and control means for successively providing 
as input to each of the n multiplication circuits each element in the (1 x n) or (m 
x 1) matrix. 



(Figure 2) 